From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 518991FF14F for ; Wed, 17 Jun 2026 10:59:56 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id D855E1A46A; Wed, 17 Jun 2026 10:59:53 +0200 (CEST) From: Dominik Csapak To: pve-devel@lists.proxmox.com, pbs-devel@lists.proxmox.com Subject: [PATCH proxmox v3 3/6] client: use proxmox-http's openssl verification callback Date: Wed, 17 Jun 2026 10:59:15 +0200 Message-ID: <20260617085949.1528300-4-d.csapak@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260617085949.1528300-1-d.csapak@proxmox.com> References: <20260617085949.1528300-1-d.csapak@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.049 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [client.rs] Message-ID-Hash: CTOWKIM6NDT2JUOH7QK6GILUOVVYF3L7 X-Message-ID-Hash: CTOWKIM6NDT2JUOH7QK6GILUOVVYF3L7 X-MailFrom: d.csapak@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Backup Server development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: This changes the validation logic by always checking the fingerprint of the leaf certificate, ignoring the openssl verification if a fingerprint is configured. This now aligns with our perl implementation and the one for proxmox-websocket-tunnel. Before, a valid certificate chain would have precedence over an explicit fingerprint. Signed-off-by: Dominik Csapak --- proxmox-client/Cargo.toml | 2 +- proxmox-client/src/client.rs | 69 +++++++++++++----------------------- 2 files changed, 25 insertions(+), 46 deletions(-) diff --git a/proxmox-client/Cargo.toml b/proxmox-client/Cargo.toml index 6ca33420..5cbcecd8 100644 --- a/proxmox-client/Cargo.toml +++ b/proxmox-client/Cargo.toml @@ -25,7 +25,7 @@ openssl = { workspace = true, optional = true } proxmox-login = { workspace = true, features = [ "http" ] } -proxmox-http = { workspace = true, optional = true, features = [ "client" ] } +proxmox-http = { workspace = true, optional = true, features = [ "client", "tls" ] } hyper = { workspace = true, optional = true } hyper-util = { workspace = true, optional = true, features = [ "client-legacy" ] } diff --git a/proxmox-client/src/client.rs b/proxmox-client/src/client.rs index 26913dbb..1a1d3fa8 100644 --- a/proxmox-client/src/client.rs +++ b/proxmox-client/src/client.rs @@ -12,6 +12,8 @@ use http_body_util::BodyExt; use openssl::hash::MessageDigest; use openssl::ssl::{SslConnector, SslMethod, SslVerifyMode}; use openssl::x509::{self, X509}; +use proxmox_http::SslVerifyError; +use proxmox_http::get_fingerprint_from_u8; use proxmox_login::Ticket; use serde::Serialize; @@ -110,10 +112,29 @@ impl Client { TlsOptions::Insecure => connector.set_verify(SslVerifyMode::NONE), TlsOptions::Fingerprint(expected_fingerprint) => { connector.set_verify_callback(SslVerifyMode::PEER, move |valid, chain| { - if valid { - return true; + let fp = get_fingerprint_from_u8(&expected_fingerprint); + match proxmox_http::openssl_verify_callback(valid, chain, Some(&fp)) { + Ok(()) => true, + Err(err) => { + match err { + SslVerifyError::FingerprintMismatch { + fingerprint, + expected, + } => { + log::error!("bad fingerprint: {fingerprint}"); + log::error!("expected fingerprint: {expected}"); + log::error!( + r#"If this fingerprint has worked before, it is possible that it changed on the remote +side. This can happen, for example, if the remote rotates it's certificate regularly. +If you are sure no machine-in-the-middle attack (MitM) occurred, it is safe to set the +above 'bad fingerprint' as the new fingerprint for the remote."# + ); + } + _ => log::error!("{err}"), + } + false + } } - verify_fingerprint(chain, &expected_fingerprint) }); } TlsOptions::Callback(cb) => { @@ -539,48 +560,6 @@ impl HttpApiClient for Client { } } -fn verify_fingerprint(chain: &x509::X509StoreContextRef, expected_fingerprint: &[u8]) -> bool { - let Some(cert) = chain.current_cert() else { - log::error!("no certificate in chain?"); - return false; - }; - - let fp = match cert.digest(MessageDigest::sha256()) { - Err(err) => { - log::error!("error calculating certificate fingerprint: {err}"); - return false; - } - Ok(fp) => fp, - }; - - if expected_fingerprint != fp.as_ref() { - log::error!("bad fingerprint: {}", fp_string(&fp)); - log::error!("expected fingerprint: {}", fp_string(expected_fingerprint)); - log::error!( - r#"If this fingerprint has worked before, it is possible that it changed on the remote -side. This can happen, for example, if the remote rotates it's certificate regularly. -If you are sure no machine-in-the-middle attack (MitM) occured, it is safe to set the -above 'bad fingerpint' as the new fingerprint for the remote."# - ); - return false; - } - - true -} - -fn fp_string(fp: &[u8]) -> String { - use std::fmt::Write as _; - - let mut out = String::new(); - for b in fp { - if !out.is_empty() { - out.push(':'); - } - let _ = write!(out, "{b:02x}"); - } - out -} - /// Classify an HTTP client error into either a connection-establishment failure /// ([`Error::Connect`]) or a post-connection error ([`Error::Client`]). /// -- 2.47.3